Closed manios closed 3 months ago
I'm guessing you are using libreswan instead of strongswan (which still supports modp1024/DH2) because you had it working with libreswan in the past?
From the unknown option "--config" error, it looks like NetworkManager-l2tp isn't compatible with the new libreswan v5.0rc1 and the unreleased version in git. I need to investigate more.
I've rebuilt libreswan 3.32 from the original Ubuntu 22.04 source package, but with USE_DH2=true; I recommend trying to use it instead:
The changes to the source package can be found here:
You'll note from the changes that USE_DH2=true and WERROR_CFLAGS are overridden, the latter because I was getting KU_DIGITAL_SIGNATURE and similar redefined warnings which became errors because of the default -Werror argument for WERROR_CFLAGS.
I would recommend deleting everything in the phase 1 & 2 algorithm text boxes as newer versions of this VPN plugin will offer a combination of algorithms that the macOS and Win11 L2TP/IPsec clients use.
I would also recommend that the Disable PFS checkbox is ticked.
There was a typo which I've fixed up; the URL for the modified libreswan 3.32 was supposed to be:
Hi @dkosovic!
Thank you for your quick response! The reason that I used Libreswan was that the only advice I was finding on the internet for modp1024 referred to Libreswan (go figure :yum: ). Your advice has helped a lot and I was able to connect by using your package. I also enabled PFS and I kept the Phase 1 and Phase 2 algorithms because otherwise the connection could not be established. This is my current configuration:
# /etc/NetworkManager/system-connections/VPNchaos.nmconnection
[connection]
id=VPNchaos
uuid=0274aad9-acae-44a9-8f7e-c80f6ecb47ee
type=vpn
autoconnect=false
timestamp=1712089557
[vpn]
gateway=totally.insecurevpn.com
ipsec-enabled=yes
ipsec-esp=aes128-sha1,aes256-sha1
ipsec-ike=3des-sha1-modp1024
ipsec-pfs=no
machine-auth-type=psk
mru=1400
mtu=1400
password-flags=2
refuse-chap=yes
refuse-eap=yes
refuse-mschap=yes
refuse-mschapv2=yes
user=bobos
user-auth-type=password
service-type=org.freedesktop.NetworkManager.l2tp
[vpn-secrets]
ipsec-psk=supersecretpsk
[ipv4]
method=auto
never-default=true
[ipv6]
addr-gen-mode=stable-privacy
method=disabled
The strange thing that I am now facing is that I get this error: xl2tpd[30633]: Maximum retries exceeded for tunnel 53807. Closing. I have found that you had already helped another fellow in issue #189 who encountered the same error. I have followed your advice and added the variable NM_L2TP_XL2TPD_MAX_RETRIES=20000 in /etc/environment, as my NetworkManager is version 1.36.6 and already has the fix of commit #2e5a163. I have restarted and retried, but the connection drops after 1.5 minutes with the same error:
Apr 3 21:44:39 ubuntu-VirtualBox NetworkManager[30633]: xl2tpd[30633]: Maximum retries exceeded for tunnel 53807. Closing.
Apr 3 21:44:39 ubuntu-VirtualBox NetworkManager[30633]: xl2tpd[30633]: Terminating pppd: sending TERM signal to pid 30634
Apr 3 21:44:39 ubuntu-VirtualBox NetworkManager[30633]: xl2tpd[30633]: Connection 3483 closed to 192.164.172.140, port 1701 (Timeout)
Apr 3 21:44:39 ubuntu-VirtualBox pppd[30634]: Terminating on signal 15
Apr 3 21:44:39 ubuntu-VirtualBox pppd[30634]: Connect time 1.5 minutes.
Apr 3 21:44:39 ubuntu-VirtualBox pppd[30634]: Sent 1243161304 bytes, received 0 bytes.
Apr 3 21:44:39 ubuntu-VirtualBox NetworkManager[535]: <info> [1712088159.0277] device (ppp0): state change: disconnected -> unmanaged (reason 'connection-assumed', sys-iface-state: 'external')
Apr 3 21:44:39 ubuntu-VirtualBox pppd[30634]: Overriding mtu 1500 to 1400
Apr 3 21:44:39 ubuntu-VirtualBox pppd[30634]: Overriding mru 1500 to mtu value 1400
Apr 3 21:44:39 ubuntu-VirtualBox pppd[30634]: Connection terminated.
Apr 3 21:44:39 ubuntu-VirtualBox NetworkManager[30633]: xl2tpd[30633]: death_handler: Fatal signal 15 received
Apr 3 21:44:39 ubuntu-VirtualBox gnome-shell[1011]: Removing a network device that was not added
Apr 3 21:44:39 ubuntu-VirtualBox NetworkManager[30723]: 002 "0274aad9-acae-44a9-8f7e-c80f6ecb47ee": terminating SAs using this connection
Apr 3 21:44:39 ubuntu-VirtualBox NetworkManager[30723]: 002 "0274aad9-acae-44a9-8f7e-c80f6ecb47ee" #2: deleting state (STATE_QUICK_I2) aged 92.541s and sending notification
Apr 3 21:44:39 ubuntu-VirtualBox NetworkManager[30723]: 005 "0274aad9-acae-44a9-8f7e-c80f6ecb47ee" #2: ESP traffic information: in=561B out=1076MB
Apr 3 21:44:39 ubuntu-VirtualBox pppd[30634]: Exit.
Apr 3 21:44:39 ubuntu-VirtualBox NetworkManager[30723]: 002 "0274aad9-acae-44a9-8f7e-c80f6ecb47ee" #1: deleting state (STATE_MAIN_I4) aged 92.744s and sending notification
Apr 3 21:44:39 ubuntu-VirtualBox nm-l2tp-service[30281]: ipsec shut down
I also disabled the xl2tpd service, as I read in Connecting to an old modp1024 L2TP Ipsec VPN on Ubuntu 21.04:
sudo systemctl stop xl2tpd.service
sudo systemctl disable xl2tpd.service
sudo systemctl unmask ipsec.service
Do you maybe have any other idea what I might be missing? Should I maybe give katalix/go-l2tp a try instead of xl2tpd?
Thank you beforehand for your time and help,
Christos
Going back to phase 1 & 2 algorithms, the supported phase 1 algorithms reported by the ike-scan.sh script in the original post were:
As your VPN server supports modp1536, you shouldn't have needed DH2 support, i.e. modp1024.
For phase 2, Win 10 & 11 clients offer the following proposals (which is also the default now for this VPN plugin):
PFS is part of the phase 2 proposal negotiations with the VPN server. Older VPN servers generally don't support PFS and fail if PFS is enabled. In your case you needed to disable PFS.
I can understand that the "Disable PFS" checkbox would need to be ticked, but it's odd that it didn't work with empty phase 1 & 2 algorithm boxes, although that isn't without precedent for the phase 1 box, as some older VPN servers can get overwhelmed by the number of proposals.
Regarding the dropped connection after 1.5 minutes, it's most likely a routing issue, see issue #132. After the VPN connection has been established, try route del {gateway IP address}. It's less likely to be the 1.5 minute dropped connection issue #140. I don't think setting NM_L2TP_XL2TPD_MAX_RETRIES would be necessary for routing issues.
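The routing failure mode referred to above has a recognisable fingerprint in the logs already posted in this thread: pppd reports 1243161304 bytes sent and 0 received, and libreswan's ESP counters show in=561B out=1076MB, which is what happens when the host route to the VPN gateway points into the tunnel interface itself and the tunnel's own packets get re-encapsulated until xl2tpd gives up. The following is an added example, not code from the thread or the NetworkManager-l2tp project, of two checks a defender can script after the VPN comes up: find any route for the gateway IP that goes out via a ppp interface, and flag the asymmetric ESP counters. The route table is constructed (interface names and addresses other than the gateway IP from the log are assumptions); the log line is the one from the thread.

```python
"""Detect the 'extra route' loop from issue #132 (added example, not project code).

Two checks:
  1. a host route to the VPN gateway whose device is the tunnel itself;
  2. libreswan 'ESP traffic information' counters with large outbound and
     near-zero inbound traffic, the symptom that loop produces.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed `ip route show` output. The last line is the looping host route:
# the gateway IP (from the thread's log) is reached via ppp0, the tunnel itself.
SAMPLE_ROUTES = """\
default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.8.0.1 dev ppp0 proto kernel scope link src 10.8.0.10
192.164.172.140 dev ppp0 scope link
"""

# Log line quoted in the thread (prefix trimmed).
SAMPLE_LOG = ('005 "0274aad9-acae-44a9-8f7e-c80f6ecb47ee" #2: '
              'ESP traffic information: in=561B out=1076MB')

_UNITS = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}
_ESP_RE = re.compile(r"ESP traffic information: in=(\d+)(B|KB|MB|GB) out=(\d+)(B|KB|MB|GB)")


def parse_route_line(line: str) -> Dict[str, str]:
    """Reduce one `ip route` line to its destination, next hop and device."""
    parts = line.split()
    entry = {"dst": parts[0]}
    for key in ("via", "dev"):
        if key in parts:
            entry[key] = parts[parts.index(key) + 1]
    return entry


def gateway_routes_via_tunnel(route_text: str, gateway_ip: str,
                              tunnel_prefix: str = "ppp") -> List[str]:
    """Return route lines that send the VPN gateway itself into the tunnel."""
    bad: List[str] = []
    for line in route_text.splitlines():
        if not line.strip():
            continue
        route = parse_route_line(line)
        dst = route["dst"].split("/")[0]          # accept both 1.2.3.4 and 1.2.3.4/32
        if dst == gateway_ip and route.get("dev", "").startswith(tunnel_prefix):
            bad.append(line.strip())
    return bad


def remediation(route_text: str, gateway_ip: str) -> List[str]:
    """The fix the thread arrived at: remove the looping host route.

    Command form (`ip route del <gateway>`) is this example's choice; the
    thread used the older `route del` syntax.
    """
    return [f"ip route del {gateway_ip}" for _ in gateway_routes_via_tunnel(route_text, gateway_ip)]


def parse_esp_counters(log_line: str) -> Optional[Tuple[int, int]]:
    """Return (inbound_bytes, outbound_bytes) from a libreswan ESP summary line."""
    m = _ESP_RE.search(log_line)
    if not m:
        return None
    return int(m.group(1)) * _UNITS[m.group(2)], int(m.group(3)) * _UNITS[m.group(4)]


def looks_like_routing_loop(log_line: str, min_out: int = 1 << 20,
                            max_in_ratio: float = 1e-3) -> bool:
    """True when the tunnel sent at least min_out bytes but received almost nothing back."""
    counters = parse_esp_counters(log_line)
    if counters is None:
        return False
    inbound, outbound = counters
    return outbound >= min_out and inbound <= outbound * max_in_ratio


if __name__ == "__main__":
    for r in gateway_routes_via_tunnel(SAMPLE_ROUTES, "192.164.172.140"):
        print("looping route:", r)
    print("ESP counters suggest loop:", looks_like_routing_loop(SAMPLE_LOG))
```

On the constructed table the only hit is the host route for 192.164.172.140 via ppp0, and the ESP line from the thread (561 bytes in, 1076 MB out) trips the ratio check; a healthy session with traffic in both directions does not.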
Hi @dkosovic !
The issue behind the disconnection was indeed #132. The connection was adding an extra route. After connecting I deleted the route and the VPN connection worked as expected!
Thank you for your help and your valuable input!
Best regards, Christos
Dear maintainers,
We are trying to connect from Ubuntu 22.04 to an IPsec L2TP VPN with a PSK which uses (how strange?? :smiley: ) deprecated and removed DH2 algorithms! In Windows 10 the VPN connection works and has the following configuration:
Windows setup
PPP Settings:
Security settings:
Advanced Security settings:
ike-scan
The output of running the script ike-scan.sh that you mention in the Known Issues (link) is the following:
Ubuntu 22.04 configuration
Ubuntu Version
Our configuration in Ubuntu Linux is the following based on the Windows configuration:
Error logs
However when we try to connect, we get the following errors :
g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
. You can see the complete logs if we run sudo tail -f -n 10 /var/log/syslog
Build Libreswan and NetworkManager-l2tp from source
We have built Libreswan from source:
and also NetworkManager-l2tp using the --enable-libreswan-dh2 option (in commit 031e9e0):
We have been trying for more than 8 hours to find out why we cannot connect and we are quite sure that we are doing something completely wrong... Can you maybe spot any problem with our configuration?
Sorry for the long post; we hope that if we give you as many details as possible, you can spot something without losing much valuable time.
Thank you beforehand for your time and help,
Christos